Weak vs Strong Passwords at Online Retailers

You may have heard of recent password breaches at
well-known web sites and might be wondering whether the
passwords your registered customers use to check out
at your ecommerce site are too weak, and just how
strong they need to be.

Unfortunately, much of the common practice
regarding password security comes from the world of
securing corporate computer systems that employees
log in to, and it is often poorly applicable to shoppers
logging in over the Internet.

First consider that you probably have hundreds of
thousands or millions of user-created passwords. A
hacker needs to be able to guess just a tiny
percentage of these passwords to be able to place a
good quantity of fraudulent orders shipped to an
address they provide or picked up in store by a
person they designate.

Can your password policies protect you?

Length vs Complexity

Traditionally, password length was considered the
main deterrent against cracking a password. An
8-character alphanumeric password, for example, can
have 1 trillion possibilities. 10 years ago this
would have been considered plenty secure: even if the
hacker obtained access to the encrypted password, it
would have taken months and months to crack a single
password, by which time it probably would have
changed. But today's GPU-accelerated computers can
test billions of combinations a second on a single
computer and can crack such a password in a day, so
for securing your laptop, your password should be
more like 15 characters long!

However, this doesn't apply to guessing online
passwords. A hacker can't send a billion requests a
second to your servers to brute-force a
shopper's password. Or, more accurately, your servers
can't respond to requests this quickly, so a
brute-force attack on even a 6-character password
(~200 billion possibilities) would take a year to
guess a single password.

The problem, though, is that passwords created by
human beings are not random at all. (See
this recent study.) People often use dictionary
words, which makes for only about 50,000
possibilities. A recent study by Dashlane revealed
that 55% of the top 100 online retailers allow
users to create such extremely weak passwords as
'password', '123456' or 'abc123'.

Some retailers do try to combat this by
introducing complexity requirements (mixed case,
numbers, punctuation), but this doesn't really help.
Many users make simple and predictable alterations
to a dictionary word, e.g. 'password' simply becomes
'Password1!'. At best, the hacker might need 2-3
additional variations per dictionary word, so it
becomes 150,000 possibilities.

Today's dictionary databases used by hackers even
contain such common obfuscation techniques as
number-or-symbol-for-letter substitutions (e.g. p@55word)
and even patterns formed by 'drawing lines' on the
keyboard. And, remember, the hacker doesn't need to
guess every password; they just need to guess a
handful of the weakest ones.

Hacker vs Retailer

So, can you, the retailer, protect your ecommerce
site against a hacker attack using such a
'complexity-aware' dictionary?

Could you lock out the user account after, say, 50
invalid login attempts? Unfortunately no, because
you would then be hostage to a hacker who could
continually lock out all your customer accounts, in
what becomes a denial of service attack.

Could you instead block the IP address that had
excessive login failures? First, you would have to
have a very high limit. For a major retailer, it
could be in the thousands. Why? Because with
billions of smartphones and computers accessing the
Internet, there are not enough IP addresses for each
one. As a result, computers in large organizations,
some whole countries and many smartphones appear to
access your servers from just a handful of IP
addresses.

With such a high limit, and given that hackers have
access to botnets with tens or even hundreds of
thousands of computers, each with a different IP
address, hackers could easily run through 150,000
combinations. Even if you use throttling techniques,
hackers can guess many, many passwords, especially
over a longer period of time. Remember, unlike
corporate computer systems, your shoppers don't
regularly change their passwords on your site.

The real threat

So, it appears you can't block the hacker.
Security experts have always known that the most
secure password that people can actually remember is
a combination of words, or a passphrase. Could you
get all your shoppers to use such a password when
they register? Perhaps you could, if you require a
minimum of 15 characters, disallow whole dictionary words and
excessive same-character repetition, and check
against commonly used keyboard patterns...
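The registration-time policy sketched above, combined with the 'complexity-aware' dictionary point from the earlier section (a mangled word such as 'Password1!' or 'p@55word' is still just 'password'), as an added illustration that is not code from the original post. The short word list, the substitution map and the thresholds are assumptions standing in for a real dictionary and breached-password list.

```python
import re
from typing import List

# Constructed mini wordlist; a deployment would load a full dictionary
# plus a breached-password list instead (assumption).
WORDLIST = {"password", "welcome", "dragon", "monkey", "letmein",
            "football", "shopping", "summer", "princess"}

# Common number/symbol-for-letter substitutions, undone before lookup.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t", "|": "l"})

# Keyboard rows; a run of 4+ adjacent keys in either direction counts
# as a 'drawing lines on the keyboard' pattern.
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]

MIN_LENGTH = 15

def normalize(pw: str) -> str:
    """Strip appended/prepended digits and symbols, undo leet, lower-case,
    keep letters only, so 'P@55word1!' collapses to 'password'."""
    core = re.sub(r"^[^a-zA-Z]+|[^a-zA-Z]+$", "", pw)
    return re.sub(r"[^a-z]", "", core.lower().translate(LEET))

def has_keyboard_walk(pw: str, run: int = 4) -> bool:
    s = pw.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            if any(seq[i:i + run] in s for i in range(len(seq) - run + 1)):
                return True
    return False

def has_repetition(pw: str, limit: int = 3) -> bool:
    """True if one character repeats more than `limit` times in a row."""
    return re.search(r"(.)\1{%d,}" % limit, pw) is not None

def check_password(pw: str) -> List[str]:
    """Return the policy violations; an empty list means accepted."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if normalize(pw) in WORDLIST:
        problems.append("a single dictionary word with trivial mangling")
    if has_keyboard_walk(pw):
        problems.append("contains a keyboard pattern")
    if has_repetition(pw):
        problems.append("excessive repetition of one character")
    return problems
```

A passphrase such as 'correct horse battery staple' passes every check, while 'P@55word1!' is rejected as both too short and a mangled dictionary word.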

Sadly, even with all this, it won't stop
cybercriminals either. It turns out they actually
have a much better attack vector than brute-force
guessing. This attack vector relies on what has
always been considered a good security practice:
passwords that people can actually remember, so they
don't write them down on a post-it and stick it to
their monitor.

This attack vector is phishing. If your customers
can actually remember their passwords, then hackers
can phish these passwords out of some of them. In
the world of mobile devices with small screens, it
is surprisingly easy to phish retailer logins even
out of savvy users; see this
blog post for more details.

In the end, the only guaranteed way to protect
yourself against hackers stealing shopper passwords
(and to stop torturing your customers with password
hassles) is to completely get rid of user passwords
with a password-less login solution like CardPass.